Over the next few weeks, President Barack Obama will consider adopting recommendations to revamp the National Security Agency’s data collection program and mandate stricter policies for securing federal networks from insiders.
The Review Group on Intelligence and Communications Technologies, a panel the president created in August following classified leaks by former NSA contractor Edward Snowden, released a total of 46 recommendations Wednesday.
Some recommendations in the 308-page report would require congressional approval, such as enacting legislation to terminate the government’s storage of bulk telephony meta-data, moving instead to a system in which private providers or a private third party would maintain the data.
The president is expected to comment in January on the White House’s overall review of signals intelligence and plans to implement the recommendations.
The panel also called for major reforms of the intelligence system, including making the director of NSA a Senate-confirmed position rather than allowing the president alone to make that decision and appointing a civilian to head the agency. This would increase transparency and accountability, according to the report.
The White House pre-emptively rejected one of the recommendations, to split the offices of director of NSA and head of US Cyber Command into separate positions.
In terms of NSA’s mission, the agency should not assume the lead for programs that are primarily domestic in nature, the report notes. “Missions that do not involve the collection of foreign intelligence should generally be assigned elsewhere.”
The recommendations, if enacted, would not only affect the NSA but also change the way government agencies defend their networks, encrypt data and invest in security monitoring tools.
Agencies are still struggling to implement a two-year-old executive order aimed at thwarting insider threats. “We have found that the implementation of that directive has been at best uneven and far too slow,” the report said. Oversight by the Office of Management and Budget and National Security Staff “was not performed at a sufficiently high level,” and agency officials that failed to comply with deadlines were not held accountable.
The administration has not redirected adequate funding for the program, the report found.
The panel recommended that deadlines under the executive order be accelerated and enforced by a deputy assistant to the president and agencies receive adequate funding. The report acknowledges that implementing some of the recommendations would come with a cost but how much was not determined.
Regarding encryption of federal data, the panel said the government should fully support efforts to create encryption standards, not undermine them by weakening or making vulnerable commercial software.
Documents that Snowden leaked reported that the NSA worked to undermine Internet encryption standards, an area that National Institute of Standards and Technology oversees. The head of NIST has denied allegations that his agency conspired with NSA to weaken Internet encryption standards.
The new report appears to discount the concern altogether. “Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data,” the report reads. “Moreover, it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or ‘backdoor,’ that makes it possible for the US government or anyone else to achieve unauthorized access.”
The report advises government to increase the use of encryption and urge US companies to do the same. This would better protect data in transit, at rest, in the cloud or other storage areas. The report suggests the creation of so-called project enclaves on government classified networks, to further segment and protect data through various means, including firewalls and requiring users to have multiple forms of identification, like biometrics, in order to access data.
Today most data residing on classified networks are not encrypted, but rather the networks themselves and data traversing the network are encrypted, the report said. But encrypting data at rest and in transit and linking it with software to verify a user’s identity and manage network privileges would prevent unauthorized users from reading data even if they do access that data.
The report also raises concerns about privacy and civil liberties issues, as it relates to certain information technology such as big data analytics, cloud computing and social networking. It recommends that agencies stay current in assessing the technological advances with these technologies.